Blog
Blog » PRIVACY SHIELD 2.0? – THE NEW ERA OF PERSONAL DATA TRANSFERS TO THE USA
PRIVACY SHIELD 2.0? – THE NEW ERA OF PERSONAL DATA TRANSFERS TO THE USA
14 April 2022
Following the ruling of Court of Justice of the European Union in 2020, invalidating the Privacy Shield, it has become significantly more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. What changes will the new Transatlantic Privacy Shield Framework announced last month with a view to replace Privacy Shield bring for these EU companies? In this short article, we explain the principles of the new Framework and answer the above question.
1. Background
Before presenting the new Transatlantic Privacy Shield Framework (“Framework”), it is necessary to sum up the background that makes the new rules on personal data transfers between the EU and the US necessary at all.
The legislation that preceded the new Transatlantic Data Protection Framework, the so-called Privacy Shield came into force in 2016. US companies could register under the Privacy Shield and once they did so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.
However, the GDPR, which entered into force in 2018, required a higher-level data protection from third countries. The Court of Justice of the European Union “(CJEU”) concluded in the 2020 Schrems II judgment[1] that US law did not provide adequate judicial protection for those whose personal data transferred to the US was made available to national security organisations under the relevant US rules.
Consequently, the CJEU found that the Privacy Shield did not provide adequate protection under the GDPR and invalidated it.
The Schrems II judgment has left companies transferring personal data to the US in an uncertain situation, as they could no longer transfer personal data to the US under the Privacy Shield.
EU-US data transfers have of course not stopped, but parties making such transfers should apply a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the Commission, which we have described in detail in our previous article. 1
2. Basic principles of the Transatlantic Privacy Framework
The main purpose of the new Framework is to fill the gaps in the Privacy Shield and thus provide adequate safeguards for EU-US personal data transfers.
To ensure the above, the Framework will
- allow personal data to flow freely and safely between the EU and participating US companies;
- limit the scope of personal data accessible by US national security services to the extent necessary and proportionate;
- introduce a new two-tier redress system to investigate and resolve complaints of EU individuals regarding such access, in which the Data Protection Review Court is established;
- maintain strict obligations on companies processing personal data transferred from the EU, requiring US companies to continue to demonstrate compliance with the principles set out by the US Department of Commerce.
- introduce specific monitoring and review mechanisms.
3. Next steps
The EU and US will implement the principles now agreed into their respective legal systems. The US commitments will be translated into an Executive order, which will form the basis for a Commission adequacy decision.
4. What will be the benefits of the Transatlantic Privacy Framework?
Once the Framework is established, it will significantly simplify the procedures for companies that regularly transfer personal data to the US.
In fact, the adoption of the Framework will "restore" the situation prior to the Schrems II ruling, i.e. the data processing of US companies that have registered in the Framework will be assessed by the Commission as providing an adequate level of protection.
For companies, this could provide for simpler and less costly data transfers between the EU and the US, as they will not need to apply, monitor, and amend specific standard data protection clauses to ensure the lawfulness of personal data transfers to the US.
However, it should be noted that at this stage only the principles of the new Framework have been agreed between the EU and the US, so it is likely to be a longer period before the Framework is adopted. Until then, companies should continue to apply the standard data protection clauses.
5. Summary
Following the invalidation of the Privacy Shield, the situation for companies that transfer a large amount of personal data to the US has become more difficult, as companies now should apply specific data protection clauses to each transfer to the US.
The EU and the US would address this problem by establishing the Transatlantic Privacy Framework.
Based on the recently adopted principles of the Framework, the US will provide the effective legal protection that has been missing until now, as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.
Adoption of the Framework would significantly make it easier to transfer personal data from the EU to the US, but this is likely to be a long time coming, so companies will need to apply the general data protection clauses to their transfers in the meantime.
[1] Case No. C-311/18
-
TIME IS MONEY! - PART IV – FLEXIBLE WORKING ARRANGEMENT AND FLEXITIME – DO WE HAVE TO PAY OVERTIME?
In the latest part of our series, we discussed the rules of irregular work scheduling, i.e. working time banking and payroll period in Hungary. In this article, we discuss the cases when employer transfers the right to schedule working time to the employee in whole or in part. In view of the COVID-19 pandemic situation and the widespread Home Office working arrangement, this type of working time schedule is becoming more and more popular, so we consider important to examine this institution.
Read more » -
HUNGARY: WHAT CLAIMS CAN THE ASSIGNEE LITIGATE AGAINST THE DEBTOR?
The assignment of claims is a common practice in business, yet under Hungarian law it has not been clear what rights are transferred to the new owner of the claim, and what claims can be litigated by the assignee. It has been also unclear whether the assignor and assignee can determine the extent of the rights transferred by assignment. Due to the recent decision of the Hungarian Supreme Court, that we analyse in this article, the picture has become clearer.
Read more » -
HOW TO SUE US RESIDENTS IN HUNGARIAN COURTS THROUGH ANCHOR-DEFENDANTS?
Based on the basic principle of international civil litigation, a person can usually be sued only in the courts of his or her own country. However, this makes it very difficult for a claimant who wants to enforce his rights against several defendants living in different countries. Can the jurisdiction of Hungarian courts existing in respect of a domestic defendant (the so-called anchor defendant) be extended to other, foreign defendants as well? In this article, we analyse the practical application of the new rules entered into force in 2018, based on a recent decision of the Hungarian Supreme Court.
Read more »